EU DPAs ask Google to upgrade its Privacy Policy practices

Google’s controversial changes introduced in March to its European privacy policy have again been met with resistance by the EU Data Protection Authorities. The DPAs says that Google's privacy policy provides incomplete information and makes possible uncontrolled combination of data across services. They stressed in a press conference held today at the CNIL, France’s Data Protection Commission, that Google must respect the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object.

Google needs to provide clearer information to users on its personal data processing operations, the DPAs say. At the moment, a Google service's user is unable to determine which categories of personal data are processed for this service, and the exact purposes for which these data are processed.

The DPAs ask Google to clarify how it combines data across its services, as they consider that the sharing of personal data across Google services has become too general with the new Privacy Policy. In practice, any online activity related to Google (use of its services, of its Android system or consultation of third-party websites using Google's services) can be gathered and combined. For some of the purposes related to the combination of data, Google does not collect the unambiguous consent of the user, the DPAs say.

Finally, the group says that Google has not provided a maximum retention period for the data.

Earlier this year, when the DPAs asked Google to “pause” the new consolidated privacy policy, Google pursued the changes as planned.

Spain:The application of Spain’s data protection law to online services and social media is covered in several sessions in PL&B’s Privacy Officers Network Briefing and Roundtable with Spain’s Data Protection Authority which takes place next month on 13 and 14 November in Madrid. The sessions cover online marketing (including a Supreme Court case brought by Spain’s Direct Marketing Federation); cookies; use of personal data and social media; legitimate interests as a legal basis for processing in the absence of consent; and the right to be forgotten – Spain’s DP Authority’s case for sanctions due to a refusal to delete personal data.